Sample customizations
Use OGNL expressions to customize assertions and authentication requests in different ways.
Add SessionNotOnOrAfter to assertions
This expression adds the optional SessionNotOnOrAfter attribute to the <AuthnStatement> element and sets its value to 60 minutes after the time the assertion is created (UTC).
- Message Type: AssertionType
- Expression (enter on a single line; the variable is referenced as #cal in the final call):
    #cal = new org.apache.xmlbeans.XmlCalendar(new java.util.Date()), #cal.setTimeZone(@java.util.TimeZone@getTimeZone("UTC")), #cal.add(@java.util.Calendar@MINUTE, 60), #AssertionType.getAuthnStatementArray(0).setSessionNotOnOrAfter(#cal)
- Expected assertion:
    ...
    <saml:AuthnStatement ... AuthnInstant="2015-03-20T16:27:37.344Z" SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>...</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    ...
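Added example, not from the PingFederate documentation: a relying-party check in Python that parses an assertion shaped like the expected output above and rejects it when SessionNotOnOrAfter is missing, is not expressed in UTC, or lies further than a configured number of minutes after AuthnInstant. The assertion text is constructed for the example (timestamps taken from the page, the AuthnContextClassRef value assumed) and is assumed to have been signature-verified before this check runs.

```python
# Added example (not PingFederate code): SP-side policy check on the
# AuthnInstant / SessionNotOnOrAfter window of a received assertion.
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample shaped like the page's expected output; the
# AuthnContextClassRef value is an assumption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AuthnStatement AuthnInstant="2015-03-20T16:27:37.344Z"
                       SessionNotOnOrAfter="2015-03-20T17:27:37.398Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def parse_saml_instant(value):
    """Parse a SAML dateTime. The IdP expression emits UTC with a 'Z' suffix;
    anything else is rejected rather than guessed at."""
    if not value.endswith("Z"):
        raise ValueError("timestamp must be UTC with a 'Z' suffix: %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_session_window(assertion_xml, max_minutes=60, skew=timedelta(seconds=5)):
    """Return (ok, reason). ok is True only if every AuthnStatement carries
    SessionNotOnOrAfter and it lies within max_minutes (+ skew) of AuthnInstant."""
    root = ET.fromstring(assertion_xml)
    statements = root.findall(".//saml:AuthnStatement", NS)
    if not statements:
        return False, "no AuthnStatement in assertion"
    for stmt in statements:
        instant, expiry = stmt.get("AuthnInstant"), stmt.get("SessionNotOnOrAfter")
        if instant is None or expiry is None:
            return False, "AuthnInstant or SessionNotOnOrAfter missing"
        window = parse_saml_instant(expiry) - parse_saml_instant(instant)
        if window <= timedelta(0):
            return False, "SessionNotOnOrAfter is not after AuthnInstant"
        # skew covers the milliseconds between the IdP's two clock reads (54 ms on the page)
        if window > timedelta(minutes=max_minutes) + skew:
            return False, "session window %s exceeds %d minutes" % (window, max_minutes)
    return True, "ok"


if __name__ == "__main__":
    print(check_session_window(SAMPLE_ASSERTION))
```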
Use well-formed XML as attribute value
The following expression inserts well-formed XML in the <AttributeValue> element if the Attribute Name Format is urn:pingidentity.com:SAML:attrname-format:xml:complex.
- Message Type: AssertionType
- Expression:
    #i = 0,
    #AssertionType.getAttributeStatementArray(0).getAttributeArray().{
        #this.getNameFormat().equals('urn:pingidentity.com:SAML:attrname-format:xml:complex') ? {
            #xml = #this.getAttributeValueArray(0).getStringValue(),
            #ast = @org.sourceid.saml20.xmlbinding.assertion.AttributeStatementType$Factory@parse(#xml),
            #AssertionType.getAttributeStatementArray(0).setAttributeArray(#i, #ast.getAttributeArray(0))
        } : null,
        #i = #i + 1
    }
  Line breaks are inserted for readability only. Statements calling methods whose arguments are enclosed in quotes must be entered on a single line. Note that the parsed statement is referenced as #ast (OGNL variables carry the # prefix) in the final setAttributeArray call.
This example uses well-formed XML as the attribute value for attributes that are configured with the urn:pingidentity.com:SAML:attrname-format:xml:complex name format (a custom attribute name format added to <pf_install>/pingfederate/server/default/data/config-store/custom-name-formats.xml) in the Attribute Contract window. You can substitute other application logic here.
- Sample inputs (attributes and their values)
  - Attribute Name: ExtAttr1
    Attribute Name Format: urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified
    Attribute Value: 123
  - Attribute Name: ExtAttr2
    Attribute Name Format: urn:pingidentity.com:SAML:attrname-format:xml:complex
    Attribute Value:
        <saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Name="ExtAttr2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
          <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:customNs="http://www.sample.tld/customnamespace">
            <customNs:Line>Documentation</customNs:Line>
            <customNs:Line>Ping Identity</customNs:Line>
          </saml:AttributeValue>
        </saml:Attribute>
- Expected results
    ...
    <saml:Attribute Name="ExtAttr1" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:string" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        123
      </saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="ExtAttr2" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:customNs="http://www.sample.tld/customnamespace">
        <customNs:Line>Documentation</customNs:Line>
        <customNs:Line>Ping Identity</customNs:Line>
      </saml:AttributeValue>
    </saml:Attribute>
    ...
Include extensions in authentication requests
This expression includes the optional Extensions element in the authentication request and populates it from a query parameter (oid in this example) sent to the /sp/startSSO.ping endpoint to start an SP-initiated SSO request; when the parameter is absent, the expression falls back to a placeholder default value.
- Message Type: AuthnRequestDocument
- Expression (enter on a single line):
    #element = #XmlHelper.addToSaml2Extensions(#AuthnRequestDocument, '<samplens:orgId name="orgId" xmlns:samplens="urn:org.sample.wms"/>'), #value = #HttpServletRequest.getParameter('oid') == null ? 'someDefaultValue' : #HttpServletRequest.getParameter('oid'), #XmlHelper.setAttribute(#element, 'value', #value)
- Expected AuthnRequest
  A GET request to https://<pf_host>:<pf.https.port>/sp/startSSO.ping?PartnerIdpId=<entityID>&oid=123 would trigger the following Extensions block.
    <samlp:AuthnRequest ...>
      <saml:Issuer ...>...</saml:Issuer>
      <samlp:Extensions>
        <samplens:orgId name="orgId" value="123" xmlns:samplens="urn:org.sample.wms"/>
      </samlp:Extensions>
      ...
    </samlp:AuthnRequest>